Execution environment file inventory

US 9,576,142 B2
Filed: 10/03/2013
Issued: 02/21/2017
Est. Priority Date: 03/27/2006
Status: Active Grant

First Claim

Patent Images

1. One or more non-transitory computer readable media having container management and protection logic encoded therein for managing a system of containers accessible to a computer system, wherein the container management and protection logic, when executed by one or more processors, is to:

intercept, dynamically, an operation request in the computer system that is to affect a targeted container in the system of containers;

identify the targeted container of the intercepted operation request;

analyze an inventory of a plurality of protected containers in the system of containers to determine if an identifier of one of the plurality of protected containers corresponds to an identifier of the targeted container;

identify an entity associated with an initiation of the operation request;

analyze, if the identifier of one of the plurality of protected containers corresponds to the identifier of the targeted container, one or more change authorization policies to determine whether the identified entity is authorized to update the targeted container;

allow the operation request to be performed if it is determined that the identified entity is authorized to update the targeted container;

generate a new identifier for the targeted container after the operation request is performed; and

update the inventory with the new identifier, wherein the new identifier is useable to verify integrity of the targeted container.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is described to maintain (including generate) an inventory of a system of a plurality of containers accessible by a computer system. At least one container is considered to determine whether the container is executable in at least one of a plurality of execution environments characterizing the computer system. Each execution environment is in the group comprising a native binary execution environment configured to execute native machine language instructions and a non-native execution environment configured to execute at least one program to process non-native machine language instructions to yield native machine language instructions. The inventory is maintained based on a result of the considering step. The inventory may be used to exercise control over what executables are allowed to execute on the computer system.

409 Citations

23 Claims

1. One or more non-transitory computer readable media having container management and protection logic encoded therein for managing a system of containers accessible to a computer system, wherein the container management and protection logic, when executed by one or more processors, is to:
- intercept, dynamically, an operation request in the computer system that is to affect a targeted container in the system of containers;
  
  identify the targeted container of the intercepted operation request;
  
  analyze an inventory of a plurality of protected containers in the system of containers to determine if an identifier of one of the plurality of protected containers corresponds to an identifier of the targeted container;
  
  identify an entity associated with an initiation of the operation request;
  
  analyze, if the identifier of one of the plurality of protected containers corresponds to the identifier of the targeted container, one or more change authorization policies to determine whether the identified entity is authorized to update the targeted container;
  
  allow the operation request to be performed if it is determined that the identified entity is authorized to update the targeted container;
  
  generate a new identifier for the targeted container after the operation request is performed; and
  
  update the inventory with the new identifier, wherein the new identifier is useable to verify integrity of the targeted container.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The one or more non-transitory computer readable media of claim 1, wherein one or more of the plurality of protected containers in the inventory are executable in at least one of a plurality of execution environments characterizing the computer system, wherein the execution environments include:
    - a native binary execution environment; and
      
      a non native binary execution environment.
  - 3. The one or more non-transitory computer readable media of claim 2, wherein at least one of the plurality of protected containers in the inventory is not executable in any of the execution environments characterizing the computer system.
  - 4. The one or more non-transitory computer readable media of claim 1, wherein the container management and protection logic, when executed by the one or more processors, is to:
    - block the operation request if it is determined that the identified entity is not authorized to update the targeted container.
  - 5. The one or more non-transitory computer readable media of claim 1, wherein the determination of whether the identified entity is authorized to update the targeted container is based, at least in part, on a categorization of the identified entity, wherein the categorization is based on one of at least three types of authorizations associated with updating the plurality of protected containers.
  - 6. The one or more non-transitory computer readable media of claim 1, wherein the identified entity is determined to be authorized to update the targeted container if the identified entity is categorized as an anytime updater that is authorized to make changes at any time to containers identified in the inventory of protected containers.
  - 7. The one or more non-transitory computer readable media of claim 1, wherein the container management and protection logic, when executed by the one or more processors, is to:
    - determine the computer system is in an update mode if the analysis of the one or more change authorization policies indicates that changes to the plurality of protected containers are currently allowed by entities categorized as sometime updaters, wherein the identified entity is determined to be authorized to update the targeted container if the identified entity is categorized as a sometime updater.
  - 8. The one or more non-transitory computer readable media of claim 1, wherein the identified entity is determined to be unauthorized to update the targeted container if a current mode of the computer system is a mode other than an update mode and the identified entity is not categorized as an anytime updater that is authorized to make changes at any time to containers identified in the inventory of protected containers.
  - 9. The one or more non-transitory computer readable media of claim 1, wherein the identified entity is determined to be unauthorized to update the targeted container if the identified entity is categorized as a non-updater, wherein a non-updater is prohibited from making changes to containers identified in the inventory of protected containers.
  - 10. The one or more non-transitory computer readable media of claim 1, wherein the entity is one of a user and a software program.
  - 11. The one or more non-transitory computer readable media of claim 1, wherein the determination of whether the identified entity is authorized to update the targeted container is based, at least in part, on a digital authentication of at least one of the operation request and the identified entity.
  - 12. The one or more non-transitory computer readable media of claim 1, wherein the determination of whether the identified entity is authorized to update the targeted container is dependent on a particular date and time at which the operation request is received by the computer system.
  - 13. The one or more non-transitory computer readable media of claim 1, wherein the determination of whether the identified entity is authorized to update the targeted container is dependent on at least one of a nature of the operation request and one or more attributes of the targeted container.
  - 14. The one or more non-transitory computer readable media of claim 1, wherein the operation request is associated with a writing operation, a renaming operation, a moving operation, or a deleting operation of the targeted container.
  - 15. The one or more non-transitory computer readable media of claim 1, wherein the inventory is compared to a gold image inventory in order to identify a particular delta between the inventories, and wherein updates for the computer system are blocked if the updates cause the delta to exceed a predetermined threshold.
  - 16. The one or more non-transitory computer readable media of claim 1, wherein the inventory is a centrally maintained inventory for a plurality of hosts and is used to authorize additional operation requests that can change one or more of the plurality of containers relating to the computer system.

17. An apparatus, comprising:
- a computer system that includes;
  
  an execution unit;
  
  a memory element including code for execution; and
  
  a storage system that couples to the execution unit and that includes a system of containers accessible to the computer system, the system of containers including a plurality of protected containers that collectively form an inventory of protected containers for the computer system, wherein the code for execution, when executed by one or more processors, is to;
  
  intercept, dynamically, an operation request that is to affect a targeted container;
  
  identify the targeted container of the intercepted operation request;
  
  analyze the inventory of protected containers to determine if an identifier of one of the plurality of protected containers corresponds to an identifier of the targeted container;
  
  identify an entity associated with an initiation of the operation request;
  
  analyze, if the identifier of one of the plurality of protected containers corresponds to the identifier of the targeted container, one or more change authorization policies to determine whether the identified entity is authorized to update the targeted container;
  
  allow the operation request to be performed if it is determined that the identified entity is not authorized to update the targeted container;
  
  generate a new identifier for the targeted container after the operation request is performed; and
  
  update the inventory with the new identifier, wherein the new identifier is useable to verify integrity of the targeted container.
- View Dependent Claims (18, 19, 20, 21, 22, 23)
- - 18. The apparatus of claim 17, wherein the one or more of the plurality of protected containers in the inventory are executable in at least one of a plurality of execution environments characterizing the computer system, wherein the execution environments include:
    - a native binary execution environment; and
      
      a non native binary execution environment.
  - 19. The apparatus of claim 17, wherein the determination of whether the identified entity is authorized to update the targeted container is based, at least in part, on a categorization of the identified entity, wherein the categorization is based on one of at least three types of authorizations associated with updating the plurality of protected containers.
  - 20. The apparatus of claim 17, wherein the identified entity is determined to be authorized to update the targeted container if the identified entity is categorized as an anytime updater that is authorized to make changes at any time to containers identified in the inventory of protected containers.
  - 21. The apparatus of claim 17, wherein the code for execution, when executed by one or more processors, is to:
    - determine the computer system is in an update mode if the analysis of the one or more change authorization policies indicates that changes to the plurality of protected containers are currently allowed by entities categorized as sometime updaters, wherein the identified entity is determined to be authorized to update the targeted container if the identified entity is categorized as a sometime updater.
  - 22. The apparatus of claim 17, wherein the identified entity is determined to not be authorized to update the targeted container if a current mode of the computer system is a mode other than an update mode and the identified entity is not categorized as an anytime updater that is authorized to make changes at any time to containers identified in the inventory of protected containers.
  - 23. The apparatus of claim 17, wherein the identified entity is determined to not be authorized to update the targeted container if the identified entity is categorized as a non-updater, wherein a non-updater is prohibited from making changes to containers identified in the inventory of protected containers.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Bhargava, Rishi, Sebes, E. John
Primary Examiner(s)
Vu, Tuan

Application Number

US14/045,208
Publication Number

US 20140101783A1
Time in Patent Office

1,237 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/31   User authentication

G06F 21/44   Program or device authentic...

G06F 21/53   by executing in a restricte...

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/60   Protecting data

G06F 21/6218   to a system of files or obj...

G06F 2221/2149   Restricted operating enviro...

Execution environment file inventory

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

409 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Execution environment file inventory

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

409 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links